The Open Authorization (OAuth) implementations of well-known web services, including Grammarly, Vidio, and Bukalapak, have come under scrutiny because of critical security issues. These findings follow the earlier OAuth weaknesses identified in Booking.com and Expo.
During the period from February to April 2023, security researchers identified potential threats where malicious actors could obtain access tokens, potentially leading to the hijacking of user accounts. Fortunately, these vulnerabilities were addressed promptly by the respective companies following responsible disclosure.
OAuth is a widely adopted standard for cross-application access. It lets users grant a website or application access to data they keep on another site, such as Facebook, without sharing their password.
“When OAuth Platforms are used to provide service authentication, any security breach in it can lead to identity theft, financial fraud, and access to various personal information including credit card numbers, private messages, health records, and more, depending on the specific service being attacked,” Aviad Carmel, a Salt Security researcher, explained.
The vulnerability discovered in Vidio is the absence of token verification: the site never checks which App ID an access token was issued for, so an attacker can use an access token intended for a different App ID. An App ID is a random identifier that Facebook generates for each application or website registered in its developer portal, and it is central to this check.
For instance, Vidio.com, associated with App ID 92356, could become the target of an attack if a malicious actor were to create a deceptive website offering a Facebook sign-in option. Through this ploy, they could steal access tokens and then exploit them against Vidio.com, potentially gaining complete control over the targeted account.
Additionally, the API security company identified a similar token verification issue on Bukalapak.com when users logged in using their Facebook credentials. This oversight could pose a threat to the security of user accounts.
Whenever a user attempts to log in to their Grammarly account using the “Sign in with Facebook” option, an HTTP POST request is sent to auth.grammarly[.]com. This request authenticates the user with a secret code, a mechanism identified during the investigation of Grammarly.
While Grammarly does not exhibit the same token reuse vulnerability seen in Vidio and Bukalapak, it is susceptible to a distinct issue. The POST request can be manipulated to replace the secret code with an access token acquired from the malicious website described earlier, and because that substitution was accepted, it could lead to unauthorized access to the Grammarly account.
“And like with the other sites, the Grammarly implementation did not perform token verification,” Carmel explained, stating that “an account takeover would give an attacker access to the victim’s stored documents.”
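The missing check in all three cases is binding a Facebook access token to the application it was issued for. The example below is added here and is not code from the article, from Salt Security, or from any of the affected sites; it assumes the server inspects tokens with Facebook's Graph API `debug_token` endpoint and uses constructed responses so it runs offline. It shows the vulnerable pattern (any valid token is accepted) beside the hardened one (the token must belong to our App ID and be unexpired).

```python
from typing import Optional

# Shape of the response from Facebook's Graph API token-inspection endpoint,
# GET /debug_token?input_token=<user token>&access_token=<app token>.
# All dicts below are constructed samples, not captured responses.

OUR_APP_ID = "92356"            # App ID the article associates with Vidio.com
NOW = 1_700_000_000             # fixed "current time" so the example is deterministic

# Token legitimately issued to our app
OWN_TOKEN = {"data": {"app_id": "92356", "is_valid": True, "user_id": "1001",
                      "expires_at": NOW + 3600}}
# Valid token, but issued to a different (hypothetical) app: the case that
# Vidio and Bukalapak did not reject
FOREIGN_TOKEN = {"data": {"app_id": "424242", "is_valid": True, "user_id": "1001",
                          "expires_at": NOW + 3600}}
# Token for our app that has already expired
EXPIRED_TOKEN = {"data": {"app_id": "92356", "is_valid": True, "user_id": "1001",
                          "expires_at": NOW - 60}}


def user_from_token_unchecked(debug: dict) -> Optional[str]:
    """Vulnerable pattern: any valid Facebook token maps to a user,
    regardless of which app it was issued to."""
    data = debug.get("data", {})
    return data.get("user_id") if data.get("is_valid") else None


def user_from_token_checked(debug: dict, app_id: str = OUR_APP_ID,
                            now: int = NOW) -> Optional[str]:
    """Hardened pattern: accept the token only if Facebook reports it valid,
    it was issued to *our* App ID, and it has not expired."""
    data = debug.get("data", {})
    if data.get("is_valid") is not True:
        return None
    if str(data.get("app_id")) != str(app_id):   # the check the sites lacked
        return None
    expires_at = data.get("expires_at", 0)       # 0 means a non-expiring token
    if expires_at and expires_at <= now:
        return None
    return data.get("user_id")


if __name__ == "__main__":
    print("unchecked, foreign token:", user_from_token_unchecked(FOREIGN_TOKEN))  # 1001
    print("checked,   foreign token:", user_from_token_checked(FOREIGN_TOKEN))    # None
    print("checked,   own token:    ", user_from_token_checked(OWN_TOKEN))        # 1001
```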
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.